Apple and Meta sent data to hackers thinking they were cops

Apple and Meta (Facebook), two of the world’s largest technology companies, shared their users’ private information, such as addresses, phone numbers and IP addresses, with hackers who pretended to be police, as reported by Bloomberg, which had access to the details of the ongoing investigation. Both companies fell for the trap in mid-2021, believing the “emergency data request” sent by the cybercriminals was real.

An Emergency Data Request (EDR) is a kind of legal procedure that law enforcement officers can use to obtain the information about a user that they need to conduct an investigation. This type of request does not require a court order, since it is considered urgent and is made, in most cases, in a life-or-death situation. Apple, Meta and other companies are obligated to share this data once they have verified that the request is real.

Apple and Meta, in fact, seem to have a rigorous system for checking that the procedure is legitimate. “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said. But how could they provide data in response to a bogus request?

Accept or reject the request, a decision of life or death

According to investigations, the hackers could have sent the fake emergency data requests from real police addresses. They also forged the signatures of the officers. Accessing internal police systems seems like a straightforward task for cybercriminals, and the practice of sending data requests to obtain information about users is, according to Krebs on Security, “very effective”. This is mainly because the companies concerned, like Apple and Meta in this case, are obliged to accept a request of this kind when they consider that the life of one or more people may be in danger.

This is not the first time this method has been used to obtain private information about a platform's users. According to Bloomberg, the practice of falsifying “emergency data requests” began in January 2021, targeting a wide variety of companies operating in the technology sector. Snap Inc. (Snapchat’s parent company) also appears to be one of those affected. However, it is unclear if the company eventually agreed to the request and shared its users’ data with the hackers.